This invention relates to cryptography and more particularly, to encryption and decryption engines in which data formats are preserved during encryption and decryption operations.
Cryptographic systems are used to secure data in a variety of contexts. For example, encryption algorithms are used to encrypt sensitive information such as financial account numbers, social security numbers, and other personal information. By encrypting sensitive data prior to transmission over a communications network, the sensitive data is secured, even if it passes over an unsecured communications channel. Sensitive data is also sometimes encrypted prior to storage in a database. This helps to prevent unauthorized access to the sensitive data from an intruder.
Commonly used encryption algorithms include the Advanced Encryption Standard (AES) encryption algorithm and the Data Encryption Standard (DES) encryption algorithm. Using these types of algorithms, an organization that desires to secure a large quantity of sensitive information can place the sensitive information in a data file. The data file can then be encrypted in its entirety using the AES or DES algorithms.
Encrypting entire files of data can be an effective technique for securing large quantities of data. However, bulk encryption of files can be inefficient and cumbersome, because it is not possible to selectively access a portion of the encrypted data in an encrypted file. Even if an application only needs to have access to a portion of the data, the entire file must be decrypted, as it is not possible to decrypt only that portion of the encrypted file. Without the ability to selectively decrypt part of a file, it can be difficult to design a data processing system that provides different levels of data access for different application programs and for different personnel.
To avoid the difficulties associated with encrypting entire files of sensitive data, it would be desirable to be able to apply cryptographic techniques such as the AES and DES encryption algorithms with a finer degree of granularity. For example, it might be desirable to individually encrypt social security numbers in a database table, rather than encrypting the entire table. This would allow software applications that need to access insensitive information in the table to retrieve the desired information without decrypting the entire table.
Conventional encryption techniques can, however, significantly alter the format of a data item. For example, encryption of a numeric string such as a social security number may produce a string that contains non-numeric characters or a string with a different number of characters. Because the format of the string is altered by the encryption process, it may not be possible to store the encrypted string in the same type of database table that is used to store unencrypted versions of the string. The altered format of the encrypted string may therefore disrupt software applications that need to access the string from a database. The altered format may also create problems when passing the encrypted string between applications. Because of these compatibility problems, organizations may be unable to incorporate cryptographic capabilities into legacy data processing systems.
It would therefore be desirable to be able to provide cryptographic tools that are capable of encrypting and decrypting data without altering the format of the data.